diff --git a/Gemfile b/Gemfile
index c8e567346..107a8e4dd 100644
--- a/Gemfile
+++ b/Gemfile
@@ -2,7 +2,7 @@ source 'https://rubygems.org'
 gem 'rails', '~> 3.2.22'
 gem 'rack-protection', '~> 1.5.3'
-gem 'secure_headers', '~> 2.5.1'
+gem 'secure_headers', '~> 3.0.3'
 gem 'rack-mini-profiler', require: false
@@ -145,7 +145,11 @@ group :test do
   gem 'poltergeist', '~> 1.8.0'
   gem 'launchy', '~> 2.4.3'
-  gem 'cucumber-rails', '~> 1.4', require: false
+  gem 'cucumber-rails', '~> 1.4.2', require: false
+  # Versions >= 2.0 are not supported by our formatter.
+  # This is a dependency of cucumber-rails. We need to limit the version to 1.x
+  gem 'cucumber', '~> 1.3', require: false
+
   # Code Coverage Analysis
   gem 'simplecov', '~> 0.11.0', require: false
diff --git a/Gemfile.lock b/Gemfile.lock
index b43c5ddba..94793794b 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -84,10 +84,9 @@ GEM
     addressable (2.3.8)
     ansi (1.5.0)
     arel (3.0.3)
-    autoprefixer-rails (6.3.1)
+    autoprefixer-rails (6.3.3.1)
       execjs
-      json
-    bcrypt (3.1.10)
+    bcrypt (3.1.11)
     better_errors (2.1.1)
       coderay (>= 1.0.0)
       erubis (>= 2.6.6)
@@ -99,7 +98,7 @@ GEM
       sass (>= 3.3.0)
     bootstrap-select-rails (1.6.3)
     builder (3.0.4)
-    byebug (8.2.1)
+    byebug (8.2.2)
     cancan (1.6.10)
     capistrano (3.4.0)
       i18n
@@ -108,7 +107,7 @@ GEM
     capistrano-bundler (1.1.4)
       capistrano (~> 3.1)
       sshkit (~> 1.2)
-    capistrano-rails (1.1.5)
+    capistrano-rails (1.1.6)
       capistrano (~> 3.1)
       capistrano-bundler (~> 1.1)
     capistrano-rvm (0.1.2)
@@ -120,7 +119,7 @@ GEM
       rack (>= 1.0.0)
       rack-test (>= 0.5.4)
       xpath (~> 2.0)
-    celluloid (0.17.2)
+    celluloid (0.17.3)
       celluloid-essentials
       celluloid-extras
       celluloid-fsm
@@ -133,7 +132,7 @@ GEM
       timers (>= 4.1.1)
     celluloid-fsm (0.20.5)
       timers (>= 4.1.1)
-    celluloid-io (0.17.2)
+    celluloid-io (0.17.3)
       celluloid (>= 0.17.2)
       nio4r (>= 1.1)
       timers (>= 4.1.1)
@@ -144,7 +143,7 @@ GEM choice (0.2.0) chunky_png (1.3.5) cliver (0.3.2) - coderay (1.1.0) + coderay (1.1.1) coffee-rails (3.2.2) coffee-script (>= 2.2.0) railties (~> 3.2.0) @@ -173,13 +172,13 @@ GEM gherkin (~> 2.12) multi_json (>= 1.7.5, < 2.0) multi_test (>= 0.1.2) - cucumber-rails (1.4.2) + cucumber-rails (1.4.3) capybara (>= 1.1.2, < 3) - cucumber (>= 1.3.8, < 2) - mime-types (>= 1.16, < 3) + cucumber (>= 1.3.8, < 3) + mime-types (>= 1.16, < 4) nokogiri (~> 1.5) - rails (>= 3, < 5) - d3_rails (3.5.11) + railties (>= 3, < 5) + d3_rails (3.5.16) railties (>= 3.1.0) dagnabit (3.0.1) activerecord (>= 2.3.0) @@ -187,7 +186,7 @@ GEM rails (>= 3.0.0) database_cleaner (1.5.1) debug_inspector (0.0.2) - devise (3.5.5) + devise (3.5.6) bcrypt (~> 3.0) orm_adapter (~> 0.1) railties (>= 3.2.6, < 5) @@ -196,7 +195,7 @@ GEM warden (~> 1.2.3) diff-lcs (1.2.5) docile (1.1.5) - domain_name (0.5.25) + domain_name (0.5.20160216) unf (>= 0.0.5, < 1.0.0) dotenv (1.0.2) easy_translate (0.5.0) @@ -233,14 +232,14 @@ GEM sigar (~> 0.7.3) state_machine thor - facter (2.4.4) + facter (2.4.6) CFPropertyList (~> 2.2.6) factory_girl (4.5.0) activesupport (>= 3.0.0) factory_girl_rails (4.5.0) factory_girl (~> 4.5.0) railties (>= 3.0.0) - faker (1.6.1) + faker (1.6.3) i18n (~> 0.5) faraday (0.9.2) multipart-post (>= 1.2, < 3) @@ -272,7 +271,7 @@ GEM has_scope (0.6.0) actionpack (>= 3.2, < 5) activesupport (>= 3.2, < 5) - hashdiff (0.2.3) + hashdiff (0.3.0) hashie (3.4.3) highline (1.7.8) hike (1.2.3) @@ -316,7 +315,7 @@ GEM jquery-ui-rails (5.0.5) railties (>= 3.2.16) json (1.8.3) - json-schema (2.6.0) + json-schema (2.6.1) addressable (~> 2.3.8) json-stream (0.2.1) kaminari (0.16.3) @@ -347,7 +346,7 @@ GEM net-ssh (>= 2.6.5) net-ssh (3.0.2) netrc (0.11.0) - nio4r (1.2.0) + nio4r (1.2.1) nokogiri (1.6.7.2) mini_portile2 (~> 2.0.0.rc2) options (2.3.2) 
@@ -371,14 +370,14 @@ GEM pry (~> 0.10) pry-rails (0.3.4) pry (>= 0.9.10) - puma (2.15.3) + puma (3.1.0) quiet_assets (1.1.0) railties (>= 3.1, < 5.0) rack (1.4.7) rack-cache (1.6.1) rack (>= 0.4) - rack-mini-profiler (0.9.8) - rack (>= 1.1.3) + rack-mini-profiler (0.9.9.2) + rack (>= 1.2.0) rack-protection (1.5.3) rack rack-ssl (1.3.4) @@ -393,7 +392,7 @@ GEM activesupport (= 3.2.22.2) bundler (~> 1.0) railties (= 3.2.22.2) - rails-erd (1.4.5) + rails-erd (1.4.6) activerecord (>= 3.2) activesupport (>= 3.2) choice (~> 0.2.0) @@ -405,10 +404,10 @@ GEM rake (>= 0.8.7) rdoc (~> 3.4) thor (>= 0.14.6, < 2.0) - rainbow (2.0.0) + rainbow (2.1.0) rake (10.5.0) rb-fsevent (0.9.7) - rb-inotify (0.9.5) + rb-inotify (0.9.7) ffi (>= 0.5.0) rdf (1.99.1) link_header (~> 0.0, >= 0.0.8) @@ -444,7 +443,7 @@ GEM http-cookie (>= 1.0.2, < 2.0) mime-types (>= 1.16, < 3.0) netrc (~> 0.7) - rspec-activemodel-mocks (1.0.2) + rspec-activemodel-mocks (1.0.3) activemodel (>= 3.0) activesupport (>= 3.0) rspec-mocks (>= 2.99, < 4.0) @@ -477,8 +476,8 @@ GEM railties (~> 3.2.0) sass (>= 3.1.10) tilt (~> 1.3) - secure_headers (2.5.1) - user_agent_parser + secure_headers (3.0.3) + useragent shoulda (3.5.0) shoulda-context (~> 1.0, >= 1.0.1) shoulda-matchers (>= 1.4.1, < 3.0) @@ -500,7 +499,7 @@ GEM simple_form (2.1.3) actionpack (~> 3.0) activemodel (~> 3.0) - simplecov (0.11.1) + simplecov (0.11.2) docile (~> 1.1.0) json (~> 1.8) simplecov-html (~> 0.10.0) @@ -534,7 +533,7 @@ GEM tilt (1.4.1) timers (4.1.1) hitimes - tins (1.8.1) + tins (1.8.2) treetop (1.4.15) polyglot polyglot (>= 0.3.1) @@ -545,12 +544,12 @@ GEM underscore-rails (1.8.3) unf (0.1.4) unf_ext - unf_ext (0.0.7.1) - user_agent_parser (2.3.0) + unf_ext (0.0.7.2) + useragent (0.16.5) uuid (2.3.8) macaddr (~> 1.0) vcr (3.0.1) - warden (1.2.4) + warden (1.2.6) rack (>= 1.0) webmock (1.22.6) addressable (>= 2.3.6) 
@@ -582,7 +581,8 @@ DEPENDENCIES
   codemirror-rails!
   coffee-rails (~> 3.2.2)
   compass (~> 1.0.3)
-  cucumber-rails (~> 1.4)
+  cucumber (~> 1.3)
+  cucumber-rails (~> 1.4.2)
   d3_rails (~> 3.5.6)
   dagnabit (~> 3.0.1)
   data_migrate (~> 1.2.0)
@@ -641,7 +641,7 @@ DEPENDENCIES
   ruby-graphviz (~> 1.2.2)
   rugged (~> 0.23.2)
   sass-rails (~> 3.2.6)
-  secure_headers (~> 2.5.1)
+  secure_headers (~> 3.0.3)
   shoulda (~> 3.5.0)
   shoulda_routing_macros (~> 0.1.2)
   sidekiq (~> 3.5.3)
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index 76f5ff08c..fd7599b04 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -7,7 +7,6 @@ class ApplicationController < ActionController::Base
   end
   protect_from_forgery
-  ensure_security_headers
   include Pagination
   include PathHelpers
diff --git a/config/initializers/security_headers.rb b/config/initializers/security_headers.rb
index 578333981..c9ba7299c 100644
--- a/config/initializers/security_headers.rb
+++ b/config/initializers/security_headers.rb
@@ -1,5 +1,5 @@
 ::SecureHeaders::Configuration.default do |config|
-  config.hsts = 'max_age=99; include_subdomains=true'
+  config.hsts = 'max-age=99; includeSubdomains'
   config.x_frame_options = 'DENY'
   config.x_content_type_options = 'nosniff'
   config.x_xss_protection = '1; mode=block'
@@ -16,6 +16,5 @@
     media_src: %w('self'),
     object_src: %w('self'),
     child_src: %w('self'),
-    disable_chrome_extension: true,
   }
 end
diff --git a/spec/controllers/home_controller_spec.rb b/spec/controllers/home_controller_spec.rb
index 637ac000b..a58ec46fb 100644
--- a/spec/controllers/home_controller_spec.rb
+++ b/spec/controllers/home_controller_spec.rb
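Review bot: `max-age=99` in the new `config.hsts` line gives the HSTS policy a lifetime of 99 seconds, so a browser that learns it forgets it almost immediately and gets no protection against SSL-stripping on a later plain-HTTP visit; the rewrite to the secure_headers 3.x directive syntax looks right, but the value itself is not a useful policy. Unless 99 is a deliberate rollout value (in which case a comment saying so would help), raise it to at least a year once every host under the domain is known to serve HTTPS, `config.hsts = 'max-age=31536000; includeSubdomains'`, and hold off on `; preload` until that is confirmed, since `includeSubdomains` commits every subdomain and a preload submission is hard to back out. This commit also deletes the only visible spec that asserted the emitted security headers and drops the `ensure_security_headers` filter, presumably because secure_headers 3.x applies the headers from middleware instead; a request spec asserting `Strict-Transport-Security` and `Content-Security-Policy` on a response would confirm the migration still emits them. The `Configuration.default` block continues past this hunk.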
@@ -1,18 +1,10 @@
 require 'spec_helper'
 describe HomeController do
-
   describe "show" do
     before { get :show }
     it { should respond_with :success }
     it { should render_template :show }
-
-    describe 'csp headers' do
-      subject{ response.headers["Content-Security-Policy-Report-Only"] }
-      it{ should include "style-src 'self' 'unsafe-inline';" }
-      it{ should include "script-src 'self';" }
-      it{ should include "default-src 'self';" }
-    end
   end
   context 'on GET to index' do